How Microsoft IT Uses Windows Server 2012 to Deliver a Flexible, Robust, Secure Remote Access Solution
Quick Reference Guide
Published December 2012
Microsoft IT deployed an out-of-the-box remote access solution based on Windows Server 2012. DirectAccess provides remote access from trusted, fully managed corporate devices and VPN provides remote access from consumer-based devices.
Quick Reference Guide, 309 KB, Microsoft Word file
Situation: Twenty-first century computing has changed the way people and businesses use technology. Information workers are highly mobile. They work at multiple locations with a diverse range of devices.
Businesses need to adapt to this new flexible work style. To remain agile, businesses must find new ways that enable technology to facilitate worker productivity and satisfaction while reducing cost.
Consumerization of Information Technology (IT) has the potential for improving collaboration and productivity—and for increasing employee satisfaction through the latest and greatest software and hardware. IT professionals are challenged with providing an on-premises experience to a diverse set of remote workers while protecting business-critical data and intellectual property. They need to change their thinking and processes, using technology to minimize the impact on productivity without driving up business costs to support mobile workers and ensure that the solution provides the flexibility to support business-continuity scenarios.
Why You Should Care:
- Seamless remote access significantly enhances information workers’ ability to work remotely.
- Business agility increases when remote access solutions allow secure, anytime, anywhere access to corporate resources.
- DirectAccess (DA) enables IT professionals to support remote access in a secure, manageable way that enables them to lower their total cost of ownership (TCO) for supporting remote access end users.
- Virtual private network (VPN) provides enterprises the flexibility to meet the challenges of Consumerization of IT scenarios.
Planning Remote Access At Microsoft
In order to maximize employee productivity, Microsoft employees need to be able to work remotely, with access to corporate resources (file shares, internal websites, applications, and so on) from wherever they are. Microsoft Information Technology (Microsoft IT) experiences the same challenges as other enterprises in supporting their mobile users. They must constantly evaluate their service offerings for mobile users to ensure that the offerings meet the needs of Microsoft and Microsoft users.
With the release of Windows Server® 2012, Microsoft IT evaluated their remote access service offerings. They used a multistep approach to plan a flexible, robust, and secure solution based on Windows Server 2012.
Determine a Security Model
Microsoft IT needed to put processes, policies, and governance in place to ensure the secure use of remote access. At Microsoft, full-time employees (FTEs) receive remote access by default but non-full-time employees, such as vendors and contingent staff, do not. For non-FTEs, remote access is requested by the user's Microsoft manager or sponsor and must be approved by a General Manager. Once approved, the user's account is added to a remote access security group, which is then managed through group policies.
Select a Remote Access Technology
Microsoft IT evaluated the two primary technologies used to provide remote access: virtual private network (VPN) and DirectAccess (DA).
VPN leverages the Routing and Remote Access Service (RRAS) built into Windows Server 2012 to provide VPN services for Microsoft users to access the corporate network securely over the Internet as if they were directly connected. It supports a wide variety of clients, either through the Connection Manager client or via third-party VPN software.
One of the limitations of VPN is it does not provide a seamless user experience for Microsoft information workers:
Connecting to a VPN takes several steps and requires the user to wait for authentication. During the initial connection, Microsoft IT checks the health and compliance of the computer before allowing the connection to ensure security, extending the time to establish a VPN connection to several minutes.
- Any time users lose their Internet connection, they must re-establish the VPN connection.
- VPN connections are not always on, increasing the risk of a computer becoming unmanaged and unhealthy when the user does not connect to the Microsoft corporate network over VPN for days or weeks.
- DirectAccess, introduced with Windows Server 2008, allows connectivity to Microsoft corporate network resources without the need for traditional VPN connections. DirectAccess in Windows Server 2012 provides Microsoft IT with a scalable, secure remote access solution where remote workers have the same experience working remotely as they would if they were working in the office. DirectAccess is seamless and always on. It overcomes the limitations of VPN by automatically establishing a bi-directional connection to the corporate network every time the user’s DirectAccess-enabled portable computer is connected to the Internet, even before the user logs on.
DirectAccess provides Microsoft IT with the following benefits:
- Increased user productivity. With DirectAccess, users never have to think about whether they are connected to the corporate network. DirectAccess is on whenever the user has an Internet connection, allowing users to focus more on productivity and less on connectivity options and process.
- Remote management. Microsoft IT can connect directly to DirectAccess client computers to monitor them, manage them, and deploy updates, even when the user is not logged on. This reduces Microsoft IT's cost of managing remote computers by keeping them up-to-date with critical updates and configuration changes.
- Improved security. Security is derived from utilizing IPSec over IPv6 with two-factor authentication and by using Network Access Protection (NAP) to ensure computers are compliant with Microsoft IT security and configuration requirements before they are given access to the corporate network.
What Microsoft IT determined was that while they wanted to move towards an all DirectAccess service offering, VPN provides support for Consumerization of IT scenarios and allows Microsoft IT to remain flexible enough to accommodate change and to extend remote access to consumer devices.
This translates into two main remote access models for Microsoft:
- Enterprise device access model where DirectAccess is the primary offering and VPN is the secondary offering. In this access model, the remote worker is using an x86/x64 based computer that is fully managed and provisioned by Microsoft IT. The user's hardware and operating system determines whether DirectAccess or VPN is used. To use DirectAccess, Microsoft IT requires either a Windows® 7 or Windows 8 client that is domain joined, Microsoft BitLocker® enabled, and running on hardware that supports a Trusted Platform Module (TPM) chip. For Windows 7 or Windows 8 clients that are not domain joined, or that do not have a TPM chip, VPN is used for remote access. VPN is also used when users with earlier versions of Windows clients need remote access.
- Consumer device access model where VPN provides access for remote workers. In this access model, the remote worker is using a consumer-based device, such as a Windows RT or Windows Phone device that is not managed or provisioned by Microsoft IT.
Design and Deploy the Solution
Once Microsoft IT determined the technologies, the process of defining server roles, locations, load balancing, and so on took place and finally the deployment of the servers to various Microsoft data centers.
Designing And Deploying Directaccess At Microsoft
Microsoft IT is deploying a new DirectAccess implementation, based on Windows Server 2012 and Windows 8 DirectAccess across key data center sites globally. When Microsoft IT initially deployed DirectAccess, customization was required to support all their management and security needs and to scale the solution to support a very large enterprise. With Windows Server 2012, Microsoft IT is able to deploy an out-of-the-box DirectAccess solution, which provides Microsoft IT with:
- Reduced support costs. DirectAccess enables Microsoft to move away from their Connection Manager VPN client by using the out-of-the-box support built into the Windows 8 clients, reducing helpdesk calls to configure and troubleshoot connectivity issues. DirectAccess provides important cost-saving tools that enable Microsoft Internet connected offices (ICOs) to maintain efficient and secure connections to the corporate network instead of spending an estimated $300,000 needed to upgrade each facility to a dedicated connection.
- Increased business agility. Microsoft IT is tasked with planning for disaster recovery and business continuity, enabling the recovery of business systems as quickly and efficiently as possible while ensuring the physical safety of employees. This was tested during the Japan earthquake on Friday, March 11, 2011. DirectAccess was a key technology component that helped solve the immediate issue of physical safety, allowing employees to work from mobile locations without being tied to the central office locations.
While moving to Windows Server 2012 did not require infrastructure changes, Microsoft IT wanted to ensure that they optimized their infrastructure as part of the deployment.
- In evaluating their remote access infrastructure, Microsoft IT found that the DirectAccess servers were not always located in the closest data center for a given user concentration, creating latency. To solve this, Microsoft IT optimized performance for users in low bandwidth/high latency scenarios by providing a geographically dispersed infrastructure. Windows 8 clients automatically select the closest entry point.
- Another change was improving Internet performance through VPN. Microsoft IT now employs split tunneling where only corporate network traffic is routed through the VPN connection, and Internet traffic is routed through the computer's normal Internet connection.
Some of the other key features and benefits of Windows Server 2012 that Microsoft IT was able to take advantage of include:
Ease of deployment
- Simplified out-of-the-box deployment and configuration
- Simplified provisioning with access managed via Group Policy Object
- Reduced infrastructure costs for deployment
- Out-of-the-box support for connectivity to IPv4 servers
- Deployment only for remote management of mobile computers
Improved performance and scalability
- Reduced server footprint
- Native multisite deployment capabilities
- Higher scalability and support for network load balancing (NLB) and external load balancer
- Improved performance in virtualized environments
- Split tunneling optimizes traffic flows into the corporate network
- Underlying platform improvements, including better VPN performance on Windows Server 2012 approved hardware
- Unified management experience
- Enriched experience for monitoring remote client activity and status
- Reporting and accounting capabilities for audit and compliance
- Rich Windows PowerShell™ management interface
- Intuitive connectivity status and troubleshooting for remote clients
Improved user experience
- Supports two factor authentication—leveraging TPM with virtual smart cards to drive better user experience
Support for new scenarios
- Multisite support, including deployment to new sites from simple console
- One-time password (OTP)
- Provisioning support for off-premises clients
- Support for deploying DirectAccess server behind a network address translation (NAT) device
Next Generation Of Remote Access At Microsoft
How will Microsoft IT change remote access in the future? Microsoft IT continually looks to improve the services they offer their customers. One area that is under consideration in future releases of remote access is providing a variable user experience. Microsoft IT would leverage multiple connectivity technologies to vary the user experience depending on how the device is trusted. This is especially important to continue supporting consumer devices.
Two years ago, Microsoft IT considered discontinuing support for VPN as newer technologies provided a much more elegant, secure user experience. Then, the industry shift to Consumerization of IT changed how Microsoft IT thought about remote access. They determined that both DirectAccess and VPN had their place with DirectAccess being well suited for enterprise scenarios and VPN, a more mature, customizable solution, being a better fit for consumer scenarios, especially as the hardware and security features of consumer devices evolve to meet enterprise standards. The choice to keep VPN as part of their service offerings provides Microsoft IT with the best of both worlds: a VPN solution for consumer devices and a DirectAccess solution for trusted, fully managed devices. Deploying an out-of-the-box solution using Windows 8 and Windows Server 2012 DirectAccess provides Microsoft with a flexible, robust, secure solution where remote workers have seamless, always-on connectivity to the corporate network, enabling a consistent user experience regardless of location. In addition, the choice provides an improved experience for Microsoft IT through better management, performance, and deployment functionality.
User Education Resources
- Windows Server 2012 Identity and Access, White Paper http://download.microsoft.com/download/2/3/F/23FFD7B6-D58C-4270-A5D3-E34AEBEDCF77/WS%202012%20White%20Paper_Identity%20and%20Access.pdf
- Using DirectAccess to Provide Secure Access to Corporate Resources from Anywhere, Technical Case Study http://technet.microsoft.com/library/dd819155.aspx
- Networking and Access Technologies, TechNet Article http://technet.microsoft.com/network/dd420463.aspx DirectAccess
- Remote Access (DirectAccess, Routing and Remote Access) Overview, TechNet Article http://technet.microsoft.com/library/hh831416
- Consumerization of IT within Microsoft, Quick Reference Guide http://technet.microsoft.com/library/hh315814.aspx
- Disaster Recovery and Business Continuity Planning in Action: Japan 2011 http://technet.microsoft.com/library/hh308205.aspx